Brian Beckerle - Computer Science (goldbe/teaching/HW55813/brian.pdf)
Transcript of the slides
Brian Beckerle
Latest iPhone jailbreak, iOS 6.1
Patched in the latest version, iOS 6.1.3 (4 of 6? exploits fixed)
“most elaborate jailbreak to ever hack your phone” - Forbes
Used 800,000 times in the 6 hours after its release
iOS prevents:
  Installing or booting into a modified/different OS
  Running unsigned apps
    ▪ Main reason for jailbreaking (Cydia)
  Apps from running outside a secure sandbox
    ▪ Apps can’t use root permissions or do anything outside their assigned entitlements
Jailbreaking allows you to do all of these: it is a privilege escalation, but the other protections also need to be bypassed
iOS has evolved into a secure modern operating system:
  ASLR
  Code-signing
  DEP
  Sandboxing/privilege separation
Made even more difficult by a reduced attack surface:
    ▪ Stripped-down version of OS X
    ▪ No Java, Flash
    ▪ Some file types rejected by Mobile Safari
How do we get the files onto the phone?
iOS restricts where users can place files
MobileBackup
  Daemon that creates and restores backups
  Backups are created by the device and are interchangeable between devices, so they are not easily signed
  Normally has path restrictions
  Luckily a bug in backup restore allows symlinks between file paths
Inserted in var/mobile using the symlink trick:
Shell script
    ▪ #!/bin/launchctl submit -l remount -o /var/mobile/Media/mount.stdout -e /var/mobile/Media/mount.stderr -- /sbin/mount -v -t hfs -o rw /dev/disk0s1s1
Environment variable
    ▪ LAUNCHD_SOCKET = /private/var/tmp/launchd/sock
Bug in lockdownd
    ▪ lockdownd provides system info to clients
    ▪ Runs with root privileges
    ▪ Bug: changes the permissions of var/db/timezone to make it accessible to mobile
New backup is created
    ▪ Symlink between var/db/timezone and var/tmp/launchd
    ▪ Permissions granted by sending a malformed request
    ▪ var/db/timezone, and therefore var/tmp/launchd, are now accessible by all users
    ▪ Same trick repeated for subfolders: var/tmp/launchd/sock
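Both symlink steps above (the MobileBackup restore bug on slide 5 and the timezone/launchd link on slide 7) depend on a restore routine that checks a destination path without resolving the links in it. As an added example, not code from the slides, from evasi0n or from Apple, the following models that defect beside the hardened check; every directory and the planted link are constructed in a temporary folder.

```python
"""Restore-path check: naive lexical containment vs. resolving symlinks first.
Added example, not MobileBackup or evasi0n code; all paths are constructed."""
import os
import tempfile
from typing import Callable, Dict, Optional


def naive_allows(base: str, target: str) -> bool:
    # Lexical prefix check only: never looks at what the path points to,
    # so a symlink planted by an earlier restore entry is followed blindly.
    full = os.path.normpath(os.path.join(base, target))
    return full.startswith(os.path.join(base, ""))


def hardened_allows(base: str, target: str) -> bool:
    # Resolve every symlink in the destination, then require containment.
    real_base = os.path.realpath(base)
    full = os.path.realpath(os.path.join(base, target))
    return full == real_base or full.startswith(os.path.join(real_base, ""))


def restore_entry(base: str, target: str, data: bytes,
                  check: Callable[[str, str], bool]) -> Optional[str]:
    """Write one backup entry if check() allows it; return the real path written."""
    if not check(base, target):
        return None
    path = os.path.join(base, target)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return os.path.realpath(path)


def demo() -> Dict[str, bool]:
    """Plant a link inside the allowed root, then restore a file through it."""
    with tempfile.TemporaryDirectory() as tmp:
        media = os.path.join(tmp, "Media")   # allowed restore root (constructed)
        outside = os.path.join(tmp, "db")    # must never receive restored files
        os.makedirs(media)
        os.makedirs(outside)
        # Entry 1 of the backup: a symlink whose own name sits under the root.
        os.symlink(outside, os.path.join(media, "link"))
        # Entry 2: a file whose lexical path also stays under the root.
        naive = restore_entry(media, "link/planted", b"x", naive_allows)
        hard = restore_entry(media, "link/planted2", b"x", hardened_allows)
        return {
            "naive_escaped": naive is not None and naive.startswith(os.path.realpath(outside)),
            "hardened_blocked": hard is None,
        }
```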
launchd: daemon that deals with launching and shutting down processes
  Multiple instances, some have root permission
  Talk to them through sockets
  Which socket you use determines which launchd you are talking to
  The socket we got access to talks to the root launchd
  Launches processes with root privileges
System partition is now writable
Make another backup containing:
  Launchd configuration file
  Dynamic library that overrides the MISValidateSignature method to always return 0
  An executable
launchd.conf
  bsexec .. /sbin/mount -u -o rw,suid,dev
  setenv DYLD_INSERT_LIBRARIES /private/var/evasi0n/amfi.dylib
  load /System/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist
  bsexec .. /private/var/evasi0n/evasi0n
  unsetenv DYLD_INSERT_LIBRARIES
  bsexec .. /bin/rm -f /private/var/evasi0n/sock
  bsexec .. /bin/ln -f /var/tmp/launchd/sock /private/var/evasi0n/sock
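A defender checking a device for this persistence would look for the same directives in launchd.conf. This added audit routine is not evasi0n's or Apple's code; it uses the config from the slide above as its sample input, and the flagging rules are this example's own assumptions about what is worth reporting.

```python
"""Audit a launchd.conf for boot-time injection and remount directives.
Added example, not evasi0n's or Apple's code; the sample is slide 10's
config and the rules below are this example's own assumptions."""
import shlex
from typing import List, Optional, Tuple

SAMPLE_LAUNCHD_CONF = """\
bsexec .. /sbin/mount -u -o rw,suid,dev
setenv DYLD_INSERT_LIBRARIES /private/var/evasi0n/amfi.dylib
load /System/Library/LaunchDaemons/com.apple.MobileFileIntegrity.plist
bsexec .. /private/var/evasi0n/evasi0n
unsetenv DYLD_INSERT_LIBRARIES
bsexec .. /bin/rm -f /private/var/evasi0n/sock
bsexec .. /bin/ln -f /var/tmp/launchd/sock /private/var/evasi0n/sock
"""


def audit_launchd_conf(text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs; an empty list means nothing was flagged."""
    findings: List[Tuple[int, str]] = []
    injected: Optional[str] = None  # library set via DYLD_INSERT_LIBRARIES, if any
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        if cmd == "setenv" and args[:1] == ["DYLD_INSERT_LIBRARIES"]:
            injected = args[1] if len(args) > 1 else ""
            findings.append((lineno, f"library injected into launchd children: {injected}"))
        elif cmd == "unsetenv" and args[:1] == ["DYLD_INSERT_LIBRARIES"]:
            injected = None
        elif cmd == "load" and injected is not None:
            # The daemon loaded here starts with the injected library in its process.
            findings.append((lineno, f"{args[-1]} loaded with {injected} injected"))
        elif cmd == "bsexec" and len(args) > 1:
            # bsexec <target> <program> [args]: <program> is run by launchd at boot.
            program = args[1]
            if program.endswith("/mount") and any("rw" in a.split(",") for a in args[2:]):
                findings.append((lineno, "filesystem remounted read-write at boot"))
            elif any(a.endswith("launchd/sock") for a in args[2:]):
                findings.append((lineno, "launchd control socket copied or linked elsewhere"))
            elif program.startswith(("/private/var/", "/var/")):
                findings.append((lineno, f"boot-time execution from writable storage: {program}"))
    return findings
```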
amfi.dylib
  $ dyldinfo -export amfi.dylib
  export information (from trie):
  [re-export] _kMISValidationOptionValidateSignatureOnly (_kCFUserNotificationTokenKey from CoreFoundation)
  [re-export] _kMISValidationOptionExpectedHash (_kCFUserNotificationTimeoutKey from CoreFoundation)
  [re-export] _MISValidateSignature (_CFEqual from CoreFoundation)
References
http://blog.accuvantlabs.com/blog/bthomas/evasi0n-jailbreaks-userland-component
http://www.forbes.com/sites/andygreenberg/2013/02/05/inside-evasi0n-the-most-elaborate-jailbreak-to-ever-hack-your-iphone/#
iOS Hacker’s Handbook - Charlie Miller, Dionysus Blazakis
http://en.wikipedia.org/wiki/IOS_jailbreaking
http://developer.apple.com/library/ios/
http://evasi0n.com/
http://lists.apple.com/archives/security-announce/2013/Mar/msg00004.html